It has become a hot topic again: the role that external auditors play in uncovering fraud. The ING settlement has stirred up the public debate about the responsibility external auditors have to identify fraud: ‘ING case dishes up recurring question: Do external auditors’ duties include combating fraud?’(Het Financieele Dagblad, 16 September 2018) and ‘Auditors disagree about their role in uncovering fraud’ (het Financieele Dagblad, 20 August 2018).
But what exactly is expected from external auditors in terms of combating fraud? The opinions on this topic vary greatly, which prompted the Netherlands Institute of Chartered Accountants (NBA) to prepare a draft fraud protocol. The draft fraud protocol sets out in broad outline what may be expected in the various phases of an external audit in terms of combating fraud based on regulations currently in force. The principal responsibility for investigating fraud lies with companies, but auditors must remain involved and must make arrangements in advance about their audits. Thus, the protocol does not contain any new information. According to the NBA, the draft fraud protocol should be used as the basis for a dialogue with practitioners and other stakeholders.
As far as we are concerned, the discussion should focus more on a more elementary question: What constitutes fraud in this context? Fraud is not a legal term, as it does not appear in the Dutch Criminal Code. The NBA’s draft fraud protocol describes fraud as “deliberate misrepresentation to obtain unlawful gains”, a definition which is based on Auditing Standard 240 and the Audit Firms Supervision Decree (Besluit toezicht accountantsorganisaties).
Auditing Standard 240 defines fraud as: “An intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal advantage.” In addition, according to Auditing Standard 240, the auditor must focus on fraud that causes a material misstatement of the financial statements. In this respect, according to Auditing Standard 240, two types of fraud are important: (1) misstatements resulting from fraudulent financial reporting, and (2) misstatements resulting from the misappropriation of assets. Therefore, in the further explanation given below, the concept of fraud in Auditing Standard 240 is limited to two specific forms of fraud. The background to this limitation is in line with the core duty of auditors: checking whether the financial statements give a true and fair view.
In light of the definition of ‘fraud’ and the explanation of fraud given in Auditing Standard 240, it is unclear whether the ‘fraud’ that was committed at ING is one that the auditor should have discovered. It is a question that was also rightly raised in the article recently published by the NBA’s Advisory Board on Profession Regulation (‘What may be expected from auditors regarding compliance with the Dutch Money Laundering and Terrorist Financing (Prevention) Act (‘Wwft’) at banks?’). After all, violation of the Wwft or other criminal statues need not necessarily be an intentional act, involving the use of deception to obtain an unjust or illegal advantage. For example, the ING case also involved ‘culpable money laundering’ – an offense that does not require intent.
Given the debate that has resurfaced in connection with the ING case, many will probably say that auditors may also be expected to include an investigation into companies’ compliance with laws and regulations, including the Wwft in some cases, in their audits. As the aforementioned article correctly states, an investigation into compliance with the Wwft is less in-depth than audits conducted of financial statements. The reason for this lies with the definition of ‘fraud’ given in Auditing Standard 240.
Thus, the societal concept of ‘fraud’ differs from the technical definition given in the auditing standards and so therefore societal expectations do not match the current practice prescribed by the auditing standards. This blurs the discussion about the role auditors play in fighting fraud. The draft fraud protocol should perhaps point this (and the background to that limitation) out more clearly.
Another suggestion regarding the draft fraud protocol would be to include a number of concrete practical examples of fraud and signs of fraud in it. The Financial Intelligence Unit (FIU) regularly publishes anonymous examples of the prevention of money laundering and terrorist financing. Practical examples provide a better understanding of what may be expected from auditors, which will enable auditors to better live up to those expectations and will give society a better understanding of what may be expected.
A final point, which relates more to the audit itself, is that the integrity of senior management of companies is a relevant aspect when it comes to auditing financial statements. A new provision recently introduced in the Wwft prescribes that institutions that come under the Wwft must appoint one senior manager who is responsible for ensuring compliance with the Wwft. If there are indications that this senior manager does not devote sufficient attention to this, this may lead auditors to monitor this more closely. Consequently, such indications could indirectly lead to auditors’ paying increased attention to compliance with the Wwft.
If you have any questions or would like to discuss how to identify fraud, please feel free to contact us.